# {{ ansible_managed }}

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
{% if vault_use_config_path %}
ConditionPathExists={{ vault_config_path }}
{% else %}
ConditionPathExists={{ vault_main_config }}
{% endif %}

[Service]
User={{ vault_user }}
Group={{ vault_group }}
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
Capabilities=CAP_IPC_LOCK+ep
{% if systemd_version.stdout is version('230', '>=') %}
AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
{% endif %}
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
{% if vault_gcs_copy_sa and vault_gcs_credentials_src_file is defined and vault_gcs_credentials_dst_file|length -%}
Environment=GOOGLE_APPLICATION_CREDENTIALS={{ vault_gcs_credentials_dst_file }}
{% endif -%}
{% if vault_http_proxy -%}
Environment=HTTP_PROXY={{ vault_http_proxy }}
{% endif -%}
{% if vault_https_proxy -%}
Environment=HTTPS_PROXY={{ vault_https_proxy }}
{% endif -%}
{% if vault_no_proxy -%}
Environment=NO_PROXY={{ vault_no_proxy }}
{% endif -%}
ExecStart=/bin/sh -c 'exec {{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}'
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitBurst=3
LimitNOFILE=524288
LimitNPROC=524288
LimitMEMLOCK=infinity
LimitCORE=0

[Install]
WantedBy=multi-user.target
